Please report security issues privately, not in a public issue or PR.
Use GitHub's private vulnerability reporting: https://github.com/Startrust/trustcode/security/advisories/new
Include the version, the affected component, and a reproduction if you can. We'll acknowledge the report and work with you on a fix and disclosure timeline.
trustcode is local-first and makes no network calls by default: it reads source files and writes a local SQLite index under .trustcode/. Areas most relevant to a security review are path handling during scanning (for example symlinks or paths that resolve outside the scanned root), input validation in the MCP server (arguments supplied by a connected client), and any future optional features that shell out to external tools (e.g. a language server), where argument handling would become an additional concern.